POODLE Attack

HostGator's Response to the POODLE Attack

HostGator's Security and Systems Operations teams were aware of this vulnerability almost a week before it hit the mainstream media, and have taken the necessary steps to protect our platform and our customers.

An attack using the POODLE vulnerability is extremely difficult - several conditions and prerequisites would be required, and our Security team already had countermeasures in place for several of these. However, we have disabled SSL 3.0 completely from our core servers out of an abundance of caution, and we also have other measures in place to block the (already very difficult) exploitation of this vulnerability.

What is the POODLE Attack?

Software which communicates across the Internet protects sensitive information by encrypting the data it is sending. Most programs are designed to use up-to-date protocols for encryption, but to also fall back to earlier, less secure protocols such as SSL 3.0 if more modern encryption methods are not available.

POODLE takes advantage of this design by convincing programs to fall back to SSL 3.0, an older protocol which is much more vulnerable to attack than newer protocols.
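The fallback described above, and the server-side fix of refusing SSL 3.0 entirely, can be modelled in a few lines. The following is an added example written for this article, not HostGator's code or any product's implementation: it parses the version field of a ClientHello record, applies a server policy that either includes or excludes SSL 3.0, and runs a client that retries with progressively older versions when a handshake attempt fails. The `interrupted` set, the version lists, and all byte strings are constructed test data for the example.

```python
"""Added example (not HostGator's code): a toy model of the protocol-version
fallback that POODLE abuses and of the server-side mitigation (refusing SSL 3.0).

It includes a minimal parser for the ClientHello version field so the server
policy can be applied to wire bytes. All sample bytes are constructed here.
"""
import struct

# Wire encodings of the protocol versions involved, as (major, minor).
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)
TLS_1_2 = (3, 3)
VERSION_NAMES = {SSL_3_0: "SSLv3", TLS_1_0: "TLSv1.0", TLS_1_1: "TLSv1.1", TLS_1_2: "TLSv1.2"}

HANDSHAKE_RECORD = 0x16  # TLS record content type "handshake"
CLIENT_HELLO = 0x01      # handshake message type "client_hello"


def build_client_hello(client_version):
    """Construct a minimal ClientHello record (constructed test data, not a
    complete real handshake message) whose client_version field is client_version."""
    major, minor = client_version
    body = bytes([major, minor]) + bytes(32)   # client_version + zeroed client_random
    body += b"\x00"                            # session_id length 0
    body += b"\x00\x02\x00\x2f"                # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                        # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record header: type, record-layer version, length. The parser below reads the
    # client_version inside the handshake message, not this record-layer version.
    return struct.pack("!BBBH", HANDSHAKE_RECORD, major, minor, len(handshake)) + handshake


def parse_client_hello_version(record):
    """Return the client_version (major, minor) carried by a ClientHello record.

    Layout: record type(1) version(2) length(2) | handshake type(1) length(3) client_version(2) ...
    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    if len(record) < 11:
        raise ValueError("record too short")
    rec_type, _, _, rec_len = struct.unpack("!BBBH", record[:5])
    if rec_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO or len(body) - 4 != hs_len:
        raise ValueError("not a ClientHello")
    return (body[4], body[5])


def server_select_version(record, server_enabled):
    """Server policy: pick the highest enabled version not above the client's.

    Returns the negotiated version, or None to refuse the handshake. A server
    that has removed SSL 3.0 from server_enabled refuses SSLv3 hellos outright.
    """
    client_version = parse_client_hello_version(record)
    usable = [v for v in server_enabled if v <= client_version]
    return max(usable) if usable else None


def fallback_dance(client_versions, server_enabled, interrupted):
    """Model the client-side fallback that POODLE relies on.

    client_versions: versions the client will try, highest first.
    interrupted: versions whose handshake attempts fail before completing (a
    flaky network, or someone in the path dropping them); the client treats the
    failure as "server does not speak this" and retries with the next lower version.
    Returns the version finally negotiated, or None if no connection is made.
    """
    for version in client_versions:
        if version in interrupted:
            continue
        negotiated = server_select_version(build_client_hello(version), server_enabled)
        if negotiated is not None:
            return negotiated
    return None


if __name__ == "__main__":
    client = [TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0]
    legacy_server = {SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2}
    hardened_server = legacy_server - {SSL_3_0}
    blocked = {TLS_1_2, TLS_1_1, TLS_1_0}  # every modern attempt fails to complete
    for name, server in (("SSLv3 enabled", legacy_server), ("SSLv3 disabled", hardened_server)):
        result = fallback_dance(client, server, interrupted=blocked)
        print(f"{name}: {VERSION_NAMES.get(result, 'no connection')}")
```

Run stand-alone, the legacy server ends up talking SSLv3 once every newer attempt fails, while the hardened server produces no connection at all: with SSL 3.0 removed on the server, the fallback has nowhere weaker to land, which is the effect of the mitigation HostGator describes.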

This vulnerability is less severe than the recent Heartbleed & Shellshock vulnerabilities. However, HostGator is very serious about protecting your data and we want to underscore that our platform is safe from attacks exploiting the POODLE vulnerability.

POODLE is an acronym for "Padding Oracle On Downgraded Legacy Encryption". Interested readers can consult the Wikipedia article on this exploit for more information.

Services Affected by POODLE

The main effect you might see from POODLE comes not from the exploit itself but from the steps being taken to mitigate it. SSL 3.0 support is being withdrawn from new versions of many popular programs, and newer releases of browsers like Chrome and Firefox will not be vulnerable to POODLE.

As a rule, if your own software is running the most recent available update, you should not have to worry about POODLE attacks.

A simple way of testing your browser is by going to https://www.poodletest.com. (Note that this only shows potential vulnerability - a positive result does NOT mean you are under attack!)

Older plugins for popular programs like WordPress may have depended on SSL 3.0, and updates to browsers and operating systems might cause issues with these. We suggest updating your plugins and add-ons to the newest version and consulting their developers for support.

Online services are also dropping support for SSL 3.0, including PayPal and CloudFlare. You may have received notices explaining this change, and some issues might arise from updates by those services. Most are being proactive in addressing their customers' needs, and we urge you to consult with any service you use to review any changes required on your part.

SSL certificates from our partner Comodo do not need to be reissued or replaced due to POODLE, and Comodo has created an online tool to assess vulnerability of sites protected by their products here: